2026-05
This release tracker is LLM-curated and based on the official Microsoft product sources listed below. It provides an architect-grade summary of recent features, changes, and announcements. Always verify critical details against the official documentation. The raw markdown files for all releases are listed at https://github.com/pisinger/pisinger.github.io/tree/main/_ms_release_radar
Microsoft Security Release Radar - May 2026
Azure Container Apps
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟡 | Defender for Cloud support for Azure Container Apps (Serverless Containers Posture) | Preview | Bring Azure Container Apps environments into Defender for Cloud’s Serverless Containers Posture experience for unified container posture management. |
| 🟢 | Confidential Compute support on Azure Container Apps | GA | Run regulated/sensitive containerized workloads with stronger in-memory data protection and compliance controls. |
| 🟢 | Monitor HTTP traffic in Azure Container Apps | GA | New ContainerAppHTTPLogs diagnostic setting category exposes detailed HTTP access logs for high-volume request data via Azure Monitor. |
| 🟢 | OpenTelemetry destinations (New Relic, Dynatrace, Elastic) | GA | Expanded OTel endpoint options for third-party observability platforms. |
| 🟢 | Override Scale Rules in Azure Functions on Azure Container Apps | GA | New allowScalingRuleOverride property lets customers override platform-managed KEDA scale rules. |
| 🟡 | Azure Container Apps Sandboxes | Preview | Hyper-V isolated sandboxes for running untrusted code safely with pre-warmed pools and MCP integration. |
| 🟡 | Azure Container Apps Express | Preview | Streamlined container deployment without environment setup; sub-second startup and scale-to-zero by default. |
| 🔵 | Running production AI agents on Azure Container Apps | Update | Foundry Agent Service uses ACA as runtime for long-running, event-driven AI agents with serverless scaling and isolation. |
| 🔵 | Custom scaling control with KEDA rule overrides | Update | Override platform-generated KEDA rules for full control over scaling thresholds, event sources, and multi-signal scenarios. |
| 🔵 | Modernizing legacy applications to ACA | Update | GitHub Copilot App Modernization reduces legacy-to-ACA migration effort from weeks to hours with managed identity and Key Vault integration. |
| 🔵 | Safely executing AI-generated code with Dynamic Sessions | Update | Hyper-V isolated sandboxes, pre-warmed pools, and MCP integration for secure execution of untrusted/AI-generated code. |
AKS
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔴 | CVE-2026-31431 “Copy Fail” - Local Privilege Escalation in Linux kernel algif_aead | Security | CVSS 7.8 HIGH LPE vulnerability requiring code execution on the node; affects AKS nodes using the affected kernel module. |
| 🔴 | Kubernetes patch versions 1.35.4, 1.34.7, 1.33.11 (Go 1.25.9) | Security | Fixes CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289. |
| 🔴 | Kubernetes patch versions 1.35.5, 1.34.8, 1.33.12 | Security | Additional patch releases with security fixes. |
| 🔴 | Azure Policy add-on v1.15.5-1 patches multiple CVEs | Security | Patches CVE-2026-25679, CVE-2026-27142, CVE-2026-27139, CVE-2026-32280, CVE-2025-68121, CVE-2025-61726, CVE-2025-61728, CVE-2026-32281, CVE-2026-32283. |
| 🔴 | Azure Blob CSI driver updated with latest security patches | Security | Azure Blob CSI driver v1.26.12 (AKS 1.32+) and v1.27.5 (AKS 1.34+). |
| 🔴 | ACNS DNS proxy security patch updates | Security | DNS proxy v1.18.9-260520 includes security patch updates addressing CVEs. |
| 🔴 | Defender for Containers sensor v0.9.53 / v0.8.50 with malware scanning | Security | Malware scanning as new optional capability; blocking support for GA Drift Detection. |
| 🔴 | Defender for Containers sensor v0.10 on AKS 1.36 | Security | New sensor version with enhanced capabilities. |
| ⚫ | Istio add-on revision asm-1-27 deprecated | Deprecation | Upgrade to revision 1.28 or later following the Istio add-on upgrade guide. |
| ⚫ | Windows Server Annual Channel for Containers retired (May 15, 2026) | Deprecation | Last image 5B produced; migrate to LTSC by May 15, 2027. |
| ⚫ | Windows Server 2019 retired (March 1, 2026) | Deprecation | No new node images or security patches; unsupported; removal April 1, 2027. |
| ⚫ | Flatcar Container Linux support ends June 8, 2026 | Deprecation | Migrate to Azure Container Linux; node image removal September 8, 2026. |
| 🟢 | Windows Server 2025 generally available | GA | No feature flag required; supported on Kubernetes 1.32+ with CLI 2.87.0+. |
| 🟢 | Azure Container Linux GA on AKS v1.34+ | GA | ACL node pools available; in-place OS SKU migration supported. |
| 🟢 | Azure Policy add-on generates ValidatingAdmissionPolicies | GA | CEL-based policies enforced inside API server for minimal latency with fail-closed enforcement. |
| 🟢 | AKS end of support notifications | GA | Automatic notifications via Azure Resource Graph and Event Grid when cluster version approaches/passes end of support. |
| 🟡 | Azure Linux 3.0 confidential VM preview (Fairfax regions) | Preview | Register AzureLinuxCVMPreview feature flag to enable. |
| 🟡 | In-place node pool resize | Preview | Resize VMSS node pool VM size via az aks nodepool update --node-vm-size without migration. |
| 🟡 | Automatic Pod Disruption Budget management | Preview | AKS auto-creates PDBs and scales replicas to unblock node drain during upgrades. |
| 🔵 | AKS-2026-0004: Container Insights nodes/proxy RCE risk on K8s < 1.33 | Update | Container Insights add-on uses nodes/proxy permission on clusters < v1.33; upgrade to v1.33+ for fine-grained nodes/pods subresource. |
| 🔵 | Kubernetes 1.36 Preview rolling out | Update | New version being rolled out across regions. |
| 🔵 | LocalDNS auto-enabled on node pools running K8s 1.36+ | Update | Automatic enablement with exclusion options for pre-configured or BYO CNI clusters. |
| 🔵 | NAP Standard SKU defaults to LocalDNS mode Preferred on K8s 1.36+ | Update | Improved DNS resolution performance and resilience. |
| 🔵 | Application routing Gateway API access logs to stdout | Update | Managed Istio configuration now writes access logs to stdout by default. |
| 🔵 | Application routing DNS/TLS integration with Gateway API | Update | TLS via Key Vault CSI driver; DNS A records via ExternalDNS CRDs. |
| 🔵 | Migration to block/none outbound types from managedNATGatewayV2 | Update | Supports network-isolated cluster scenarios. |
| 🔵 | Pod CIDR validation for kubenet and Azure CNI Overlay | Update | Blocks overlapping with reserved ranges 172.30.0.0/16 and 172.31.0.0/16. |
| 🔵 | Calico NPM/Azure NPM blocked on K8s < 1.30 | Update | Install/uninstall operations rejected at API level; existing clusters unaffected. |
| 🔵 | AGIC add-on blocked from using aks-appgateway subnet | Update | Subnet reserved for Application Gateway for Containers. |
| 🔵 | Managed system node pools GA for AKS Automatic | Update | Multiple security restrictions: blocks SSH keys, externalIPs, port-forward on system pool, kube-system secret access, mutating admission resources. |
| 🔵 | Deployment safeguards Enforce mode allows /var/log and /hostfs read-only | Update | Supports log exporter scenarios on Automatic clusters. |
| 🔵 | Istio webhook fix for v1beta1 Gateway resources | Update | Fixed “Unknown gvk” error from admission webhook. |
| 🔵 | Multiple Standard Load Balancers rebalance fix for orphaned nodes | Update | Orphaned nodes now included during rebalancing. |
| 🔵 | Cluster create/update failure on Karpenter/KEDA silent install failure | Update | Operation now fails with descriptive error instead of silent success. |
| 🔵 | Azure Disk CSI driver upgrades | Update | v1.33.10 (AKS 1.33/1.34), v1.34.4 (AKS 1.35). |
| 🔵 | Azure File CSI driver upgrades | Update | v1.33.10 (AKS 1.33), v1.34.6 (AKS 1.34), v1.35.3 (AKS 1.35). |
| 🔵 | Cloud Provider Azure v1.36.0 | Update | cloud-controller-manager and cloud-node-manager updated; health-probe-proxy updated. |
| 🔵 | Azure CNI Powered by Cilium updates | Update | Cilium v1.19.3 (K8s 1.36+), v1.18.9 (K8s 1.34). |
| 🔵 | Azure Monitor Prometheus add-on v7.0.0 | Update | May release incorporated. |
| 🔵 | NAP Karpenter provider v1.12.1 | Update | Updated Karpenter provider. |
| 🔵 | AKS Windows and Linux node image updates | Update | Multiple VHD updates for Windows Server 2022/2025/23H2, Azure Linux v3.0, Ubuntu 22.04/24.04. |
Azure Monitor
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟢 | Workspace replication supports private links during failover | GA | Removes previous limitation blocking private endpoint customers in BCDR scenarios. |
Microsoft Defender Cloud Apps
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟡 | Disable informational alerts for unsanctioned app access | Preview | New toggle suppresses informational alerts while keeping blocking enforcement active. |
Microsoft Copilot Studio
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟢 | Computer use for agents | GA | Agents can automate web and desktop apps by controlling browsers and desktop applications. |
| 🟢 | Prompt node in agent flows | GA | Single AI call with dynamic content and model selection for translation, extraction, etc. |
| 🟢 | Microsoft 365 Copilot node | GA | Send prompts to M365 Copilot or specific agents for research and audit drafting. |
| 🟢 | Consent-based recording on voice agents | GA | Configurable compliance behavior and retention settings for call recording consent. |
| 🟢 | Agent inventory schema | GA | Discover and audit all Copilot Studio agents via admin center, API, or Azure Resource Graph. |
| 🟡 | Agent readiness and issue status page | Preview | Consolidated status page with publishing errors, runtime issues, and configuration blocks. |
| 🟢 | Asynchronous responses for agent flows | GA | Long-running processes can exceed the two-minute limit. |
| 🟡 | Microsoft Entra agent identities per agent | Preview | Scope connector permissions, Conditional Access, and DLP governance to individual agents. |
| 🟡 | Computer use standalone tools | Preview | Modular, reusable UI automation with built-in governance and observability. |
| 🟡 | Mistral Medium 3.5 as primary AI model | Preview | Experimental option alongside Anthropic, xAI, and other providers. |
Defender Container Sensor
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟢 | Sensor v0.10.5 - Runtime antimalware detection and blocking GA | GA | General availability of runtime antimalware detection and blocking for containers. |
| 🟢 | Sensor v0.10.5 - Bottlerocket OS support GA | GA | General availability of Bottlerocket OS support. |
| 🟢 | Sensor v0.10.5 - Nexus Baremetal cluster compatibility | GA | Improved compatibility with Nexus Baremetal clusters. |
| 🔴 | Sensor v0.10.5 - Go dependency security fixes | Security | Upgraded Go and related dependencies to address security vulnerabilities. |
| 🟢 | Sensor v0.9.58 - Bottlerocket OS support GA | GA | General availability of Bottlerocket OS support. |
| 🟢 | Sensor v0.9.58 - Nexus Baremetal cluster compatibility | GA | Improved compatibility with Nexus Baremetal clusters. |
| 🔴 | Sensor v0.9.58 - Go dependency security fixes | Security | Upgraded Go and related dependencies to address security vulnerabilities. |
| 🟢 | Sensor v0.8.51 - Nexus Baremetal cluster compatibility | GA | Improved compatibility with Nexus Baremetal clusters. |
| 🔴 | Sensor v0.8.51 - Go dependency security fixes | Security | Upgraded Go and related dependencies to address security vulnerabilities. |
Microsoft Defender XSPM (Exposure Management)
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | Senior Executive User Workstation classification | Update | New predefined Device classification rule for critical assets list; relies on Senior Executive identity classifications. |
Microsoft Defender Cloud
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟡 | Private clusters protection for gated deployment, binary drift, malware detection | Preview | Defender sensor extends to private cluster scenarios for container protection. |
| 🟡 | Malware detection for EKS and GKE nodes | Preview | Kubernetes node malware coverage expanded beyond AKS to multicloud environments. |
| 🟢 | On-demand malware scanning of Azure Files | GA | Extend on-demand scanning to Azure Storage accounts containing blobs and files. |
| 🟢 | Defender for Open-Source Relational Databases on AWS RDS (GA June 1) | GA | Billing begins June 1, 2026; auto-transition from preview; opt-out available. |
| 🟡 | Cloud security reporting in Microsoft Defender portal | Preview | Create, customize, and share CNAPP Executive Summary and Cloud Posture reports with PDF export. |
| 🟡 | Scanning support for Docker Hardened container images | Preview | Vulnerability scanner extends to Docker Hardened images; may increase bill. |
| 🔵 | Defender Experts for Servers as managed XDR option | Update | Partnered with Microsoft Defender Experts for managed XDR on server workloads across Azure, AWS, GCP, on-prem. |
| 🟡 | SQL VA Express Configuration for Azure SQL Managed Instance and Synapse | Preview | Microsoft-managed storage for vulnerability baselines; no customer-managed storage account required. |
| 🔵 | Updated Helm installation for Defender for Containers sensor | Update | Direct Helm chart deployment instead of installation scripts for AKS, EKS, GKE. |
| ⚫ | Deprecation of legacy grouped recommendations (removal July 31, 2026) | Deprecation | Individual recommendations now GA; grouped types tagged “Set for deprecation” and removed July 31. |
| 🔵 | Daily score calculation enhancement for risk-based Cloud secure score | Update | End-of-day snapshots instead of averaged values; historical values recalculated. |
| 🟡 | Defender for Cloud integration into Defender portal | Preview | Unified cloud security dashboard, posture management, risk-based secure score, and centralized asset inventory. |
| 🔴 | Defender for Cloud and GitHub Advanced Security integration | Security | GA integration connecting runtime security signals with code-level vulnerability management; bidirectional sync, AI-powered remediation, security campaigns. |
Microsoft Defender Unified SecOps
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | No specific May 2026 updates listed | Update | Page references general unified SecOps capabilities. |
Microsoft Defender XDR
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | Defender Experts for Servers as standalone offerings | Update | Managed XDR and threat hunting for on-premises and multicloud servers now standalone (previously add-ons to XDR). |
| 🟡 | Automatic attack disruption - device isolation | Preview | High-confidence incident analysis can isolate compromised devices from the network; time-limited, scoped, releasable. |
| 🔵 | Advanced hunting Take action wizard - allow/block TLDs and attachment hashes | Update | Allow or block top-level domains and file attachment hashes in emails based on query results. |
| 🟢 | Hunting graph identity-focused predefined scenarios | GA | New scenarios for Kerberoast, AS-REP roast, domain compromise, OAuth app risks, guest user access. |
| 🟡 | Defender Chat experience | Preview | Open prompt chat assistant built into Defender for SOC analysts to investigate threats in plain language. |
Microsoft Defender Endpoint
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟢 | Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1 | GA | Advanced protection for legacy Windows devices via Defender deployment tool. |
| 🟡 | Enhanced exposure score in Defender Vulnerability Management | Preview | New model incorporating EPSS exploit prediction data and asset context (internet-facing, criticality). |
| 🟡 | Schedule antivirus scans on Linux | Preview | Configure hourly quick, interval-based quick, and weekly full scans with low-priority and idle-time options. |
| 🟡 | Automatic device isolation (automatic attack disruption) | Preview | Time-limited network isolation blocking attacker communication while keeping security services connected. |
| 🟢 | Custom data collection | GA | Rule-based telemetry collection beyond defaults; max event limit increased from 25,000 to 75,000 per device per 24h. |
| 🟢 | Configure offline security intelligence update settings for Linux from portals | GA | Configure offline update settings for Linux from Defender and Intune portals. |
| 🟡 | Selective Response Actions | Preview | Tailor high-impact security operations on Tier-0 systems and high-value assets during onboarding. |
| 🟢 | Windows Defender Antivirus Platform 4.18.26040.7 / Engine 1.1.26040.8 | GA | See endpoint-release-notes for details. |
MDE Detailed Releases
Windows
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | Windows Antivirus Platform 4.18.26050.15 / Engine 1.1.26050.11 | Update | May 2026 release with security intelligence 1.453.4.0; support phase: Security and Critical Updates. |
| 🔵 | Fixed remote-share file scans missing detections via symlink | Update | File scans through symlinks now correctly detect threats. |
| 🔵 | Fixed mpcmdrun -scan non-ASCII character display in localized paths | Update | Output no longer displays incorrect characters in localized paths and threat names. |
| 🔵 | Fixed network protection watchdog timers silently not firing | Update | Watchdog timers now correctly fire instead of failing silently. |
macOS
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | macOS 15.0.1 minimum support; macOS 11 (Big Sur) and 12 (Monterey) no longer supported | Update | Minimum supported version updated; older macOS versions end of life. |
Linux
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | Regular monthly updates with security fixes | Update | Security fixes included as part of monthly releases; see Microsoft Security Update Guide for details. |
Microsoft Entra ID
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟡 | Soft-delete for Microsoft Entra Device objects | Preview | Recoverable device deletion with defined retention period; supports all join types. |
| 🔵 | NetBiosName resolution test reclassified to informational | Update | No longer generates alerts; reduces noise in Connect Health alert feed. |
| 🔵 | Enhanced admin authorization for Entra Connect Sync config changes | Update | Interactive admin sign-in required for sync configuration changes via wizard and PowerShell. |
| 🔵 | Workload identity-based authentication for SAP SuccessFactors provisioning | Preview | Short-lived tokens replace static credentials; prepare for SAP basic auth deprecation by November 2026. |
| 🟡 | Sensitivity labels for Microsoft Entra security groups | Preview | Apply Purview sensitivity labels to govern guest access settings on security groups. |
| 🟢 | Account Discovery for connected applications | GA | Visibility into all accounts including orphan accounts via provisioning discovery reports. |
| 🟢 | Cross tenant group synchronization | GA | Synchronize security groups across tenants with centralized membership management. |
| 🔵 | Modernized My Account pages (Devices, Personal Info, Organizations) | Update | GA by end of June 2026; BitLocker keys more prominent; improved leave-organization flow. |
| 🟢 | Passkeys (FIDO2) support in Registration Campaigns | GA | Configure campaigns to nudge users to register passkeys during sign-in. |
| 🔵 | Automate user attribute updates in Lifecycle Workflows | Preview | Set or clear attribute values directly within workflows with auditable governance. |
| 🟢 | System-preferred authentication extended to first-factor | GA | Users with phishing-resistant credentials may skip password entry entirely. |
| 🟢 | High Scale Compatibility mode for Entra External ID | GA | Migrate from Azure AD B2C while preserving existing user directory for large-scale migrations. |
| 🔵 | Expanded passkey (FIDO2) policy storage | Update | Dedicated 20-KB allocation for passkey policy; max profiles increased from 3 to 10. |
| 🟡 | Azure Role assignments governed via Entitlement Management | Preview | Govern Azure role assignments at MG/Sub/RG level through access packages with JIT and least privilege. |
| 🟢 | Manage Agent ID sponsorship lifecycle with Lifecycle Workflows | GA | Automatic sponsor transfer on departure; notification workflows for sponsorship changes. |
Microsoft Fabric
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟡 | Eventstream Business Events publisher | Preview | Filter, aggregate, threshold, and emit governed business signals from Eventstream canvas with no code. |
| 🟡 | Service principal support for Fabric data agents | Preview | SPN authentication for data agent API; custom apps and Foundry agents use application identity instead of delegated user tokens. |
Microsoft Foundry
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟢 | Trace-based evaluation for external and hosted agents | GA | Grade production traces from Foundry, GCP, AWS, or any framework without hand-curated datasets. |
| 🟢 | Grok 4.3 model availability | GA | xAI’s latest model for advanced agentic and domain-specific workloads. |
| 🟢 | DeepSeek V4 model family | GA | Newest DeepSeek model family expands open-model choice in catalog. |
| 🟢 | GPT-5 Reinforcement Fine-Tuning (Gated GA) | GA | Enterprise-ready compliance and SLA coverage for RFT. |
| 🟢 | Managed VNET | GA | Microsoft-managed network isolation reaches general availability. |
| 🟢 | Project-level cost attribution | GA | See LLM costs by project for budget tracking and governance. |
| 🟢 | Content Understanding improvements (Read and Layout analyzers GA) | GA | Read and layout analyzers reach GA alongside Logic App connector and Foundry NextGen integration. |
| 🔵 | MagenticBrain, Fara1.5-9B, MagenticLite on-device agent projects | Update | Microsoft Research ships three on-device agent projects for reasoning, UI automation, and local workflows. |
| 🔵 | SocialReasoning-Bench + STATE-Bench benchmarks | Update | Open-source benchmarks for agent negotiation, coordination, and memory quality. |
| 🔵 | Evaluation tooling updates | Update | Skill evaluation, workflow evaluation UX improvements, alignment across VS Code and portal. |
| 🔵 | Foundry Local 1.1 + 1.2 | Update | Live audio transcription, text embeddings, Qwen 3.5 Vision, multilingual ASR, Linux ARM64, ONNX Runtime 1.26. |
| 🔵 | azure-ai-projects SDK 2.2.0 | Update | Preview skills and toolboxes; external agent definitions, model weight registry, routines, optimization jobs. |
Microsoft Defender Identity
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | Sensor v3.x supports all identity roles on domain controllers | Update | Supports Microsoft Entra Connect, AD FS, and AD CS identity roles on domain controllers. |
| 🔵 | Increased sensor capacity (1,000 per workspace) | Update | Increased from previous limit of 350; contact support for more than 1,000. |
| 🔴 | New security alerts related to Entra ID | Security | 8 new alerts: guest user promoted to member, user created as Global Admin, failed credential abuse, randomized user agent, stolen session cookie (2 alerts), Conditional Access bypass via non-compliant device, suspicious third-party MFA method addition. |
| 🔵 | Known limitation: Windows Server 2025 sensor v2.x to v3.x migration not supported | Update | Continue using v2.x on WS2025 DCs until migration support is available. |
Microsoft Defender Office 365
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | No specific May 2026 feature updates listed | Preview | Page references general Defender for Office 365 capabilities and trial availability. |
Microsoft Purview
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟢 | Data security and compliance protections for Microsoft Agent 365 | GA | GA of data security and compliance protections for AI agents. |
| 🟢 | Standalone data asset data quality scan | GA | GA of standalone data quality scanning for data assets. |
| 🟢 | Incremental data quality scan | GA | GA of incremental data quality scanning. |
| 🟢 | Configurable data quality thresholds | GA | GA of configurable thresholds for data quality rules and assets. |
| 🔵 | DLP admin permissions for unmanaged cloud apps in Edge | Update | Added Directory Reader, Edge, and Intune admin permissions required for DLP activation. |
| 🔵 | DLP Edge browser profile scope clarified | Update | Unmanaged app policies apply across all Edge profiles; managed app policies apply only in work profile. |
| 🔵 | DeepL and Zapier removed from unmanaged AI app list | Update | Removed from browser policy supported list. |
| 🟡 | Block access for specific external domains/users in DLP | Preview | New sub-option for Restrict access action in SharePoint/OneDrive DLP policies. |
| 🟢 | OCR support in Data Security Investigations | GA | Automatic OCR processing of image files for AI analysis. |
| 🟢 | Custom examinations in Data Security Investigations | GA | Define custom prompts for analysis beyond built-in examination areas. |
| 🔵 | Large audit search results guidance | Update | New guidance for working with results exceeding ~3,000 items. |
| 🟢 | Data Security Posture Management new version GA | GA | Guided workflows for proactive risk management; partner solutions and DSPM Agent remain in preview. |
| 🟢 | Administrative units support in DSPM | GA | Parity with classic DSPM and DSPM for AI versions. |
| 🔵 | Inactive tenant processing pause (60+ days) | Update | Processing paused for M365 data when tenants inactive >60 days; auto-resume on return. |
| 🔵 | Anthropic Claude (Enterprise) data connector | Preview | Claude displays alongside other AI apps in Purview with activity explorer support. |
| 🟡 | Scanner cluster-level feature control from PowerShell | Preview | Enable, disable, and configure scanner features via PowerShell. |
| 🟡 | Custom Reporting for scanner | Preview | Additional columns and tables in scanner database for custom Power BI/SQL reports. |
| 🟡 | Custom posture reports | Preview | Build tailored views of information protection and DLP activity. |
| 🟡 | Manual labeling support for MP4 files in SharePoint/OneDrive | Preview | Rolling out sensitivity label support for video files. |
| 🟡 | Apply meeting label to artifacts (recordings, transcripts, notes) | Preview | Auto-apply meeting sensitivity label to recordings and notes. |
| 🟡 | Label policy sync status visibility | Preview | See sync status of publishing policies on Label policies page. |
| 🔵 | Disabling sensitivity labels for SharePoint/OneDrive documentation | Update | Updated documentation for opt-out behavior after labels enabled. |
| 🟢 | Policy-level labeling activity for SharePoint/OneDrive | GA | Per-policy review pages for monitoring daily labeling activity and investigating failures. |
Microsoft Security Copilot
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🔵 | No specific May 2026 feature updates listed | Update | Page references ongoing improvements; revisit regularly. |
Microsoft Sentinel
| Indicator | Feature | Type | Description |
|---|---|---|---|
| 🟢 | Generate playbooks using AI (SOAR playbook generator) | GA | Python-based automation workflows coauthored via conversational AI with Cline coding agent. |
| 🔵 | UEBA enhancements: New settings experience | Update | Consolidated UEBA and Behaviors Settings view from new UEBA tab in Sentinel settings. |
| 🔵 | UEBA Okta V2 support | Update | OktaV2_CL table support alongside Okta_CL for Anomalous Activity and Anomalous MFA Failures detections. |
| 🔵 | UEBA GCP anomaly detections (5 new) | Update | New detections for unusual login behavior, privileged actions, resource deployments, secret/KMS key access, infrastructure usage patterns. |
Top 5 Action Items
| Priority | Action | Due | Affected Product(s) |
|---|---|---|---|
| 🔴 | Upgrade AKS clusters to v1.33+ if using Container Insights to eliminate nodes/proxy RCE risk | ASAP | AKS |
| 🔴 | Patch AKS nodes against CVE-2026-31431 “Copy Fail” (CVSS 7.8 LPE) | ASAP | AKS |
| 🔴 | Apply Kubernetes patch versions 1.35.5/1.34.8/1.33.12 addressing multiple CVEs | ASAP | AKS |
| 🔴 | Migrate Windows Server Annual Channel node pools to LTSC before May 15, 2027 | May 15, 2027 | AKS |
| 🔴 | Migrate Flatcar Container Linux node pools to Azure Container Linux before June 8, 2026 | June 8, 2026 | AKS |
| 🟡 | Plan migration of SAP SuccessFactors provisioning from basic auth to workload identity-based auth | November 2026 | Entra ID |
| 🟡 | Evaluate and adopt Defender for Cloud integration into Defender portal for unified CNAPP | Ongoing | Defender Cloud |
| 🟡 | Review and tune new Defender for Identity Entra ID security alerts (8 new) | Ongoing | Defender Identity |
| 🟡 | Enable on-demand malware scanning for Azure Files in Defender for Storage | Ongoing | Defender Cloud |
| 🟢 | Adopt AKS end of support notifications for proactive version management | Ongoing | AKS |
| 🟢 | Evaluate Copilot Studio agent inventory schema for agent governance | Ongoing | Copilot Studio |
| 🟢 | Review Purview Data Security Posture Management GA for proactive data risk management | Ongoing | Purview |
Security Architect Observations
AKS defense-in-depth upgrades: The nodes/proxy RCE risk (AKS-2026-0004) on pre-1.33 clusters with Container Insights requires immediate upgrade planning. Combined with CVE-2026-31431 “Copy Fail” (LPE requiring node code execution), the defense-in-depth posture for AKS clusters must include both Kubernetes version upgrades and kernel patching. The new managed system node pool security restrictions (blocking SSH keys, externalIPs, port-forward, kube-system secret access) on AKS Automatic represent a significant hardening baseline for new clusters.
Multicloud container security expansion: Defender for Cloud now extends malware detection to EKS and GKE nodes (preview), Docker Hardened image scanning (preview), and on-demand malware scanning for Azure Files (GA). Security architects should plan for unified container threat detection across AKS, EKS, and GKE with the Defender sensor v0.10+.
Entra ID identity security modernization: Multiple changes strengthen the identity plane: system-preferred authentication now covers first-factor (phishing-resistant credentials may skip passwords), passkey policy storage expanded (dedicated 20KB, up to 10 profiles), workload identity-based auth for SAP SuccessFactors (prepare for Nov 2026 basic auth deprecation), and enhanced admin authorization for Entra Connect Sync changes. These collectively reduce reliance on passwords and static credentials.
Defender for Cloud + GitHub Advanced Security integration (GA): Runtime-to-code vulnerability correlation with bidirectional sync and AI-powered remediation creates a new DevSecOps feedback loop. Security architects should evaluate this integration for bridging cloud security posture with developer workflows.
Deprecation wave in AKS: Four concurrent deprecations (Istio asm-1-27, Windows Server Annual Channel, Windows Server 2019, Flatcar Container Linux) require coordinated migration planning. The Windows Server 2019 and Flatcar timelines are particularly urgent (June/September 2026).
Purview DSPM GA with AI data governance: The new DSPM version, Anthropic Claude connector, and Agent 365 protections signal expanding data security posture management to cover AI application data flows. Architects should plan for unified data security across Copilot, Copilot Studio, ChatGPT Enterprise, and Claude.
Security Operations Observations
New Defender for Identity Entra ID alerts (8 new): SOC teams must review and tune alerts for stolen session cookies, Conditional Access bypass via non-compliant devices, suspicious MFA method additions, and guest account promotions. These expand identity threat detection beyond on-premises AD to cloud Entra ID attack paths.
Automatic attack disruption with device isolation (Preview): SOC workflows should account for time-limited automatic device isolation triggered by high-confidence incidents. Operators can release isolation at any time, but the automated response changes incident response playbooks for containment.
Defender Chat experience (Preview): The open prompt chat assistant in Defender enables plain-language investigation. SOC analysts should evaluate this for reducing time-to-investigate without navigating multiple screens or writing complex KQL queries.
Sentinel UEBA enhancements: New GCP anomaly detections (5) and Okta V2 support expand UEBA coverage. SOC teams should validate the new UEBA settings experience and ensure the OktaV2_CL table is onboarded for anomaly detection coverage.
Cloud security reporting in Defender portal (Preview): CNAPP Executive Summary and Cloud Posture reports with PDF export enable streamlined reporting for leadership. SOC teams can use these for regular posture reporting without manual data aggregation.
Defender for Cloud daily secure score recalculation: End-of-day snapshots replace averaged values. SOC teams should note that historical values have been recalculated, which may affect trend comparisons. The risk-based Cloud secure score now incorporates individual recommendations.